maven-issues mailing list archives

From "Paul Benedict (JIRA)" <>
Subject [jira] (MNG-4626) Password encryption escaped mechanism doesn't work as advertised
Date Wed, 02 Jul 2014 13:44:44 GMT


Paul Benedict updated MNG-4626:

    Fix Version/s:     (was: Issues to be reviewed for 3.x)

> Password encryption escaped mechanism doesn't work as advertised
> ----------------------------------------------------------------
>                 Key: MNG-4626
>                 URL:
>             Project: Maven
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.0-alpha-7
>            Reporter: Brendan Lawlor
> The current encryption scheme implemented by Maven avoids the use of cleartext passwords
> on local files by allowing them to be encrypted locally and decrypted just before the Maven
> client requests from or deploys to a central artifact repository.
> I would like to suggest that the Maven team replicate the idea adopted by Artifactory,
> where passwords are _transmitted_ encrypted, and only decrypted on the server side by the
> repository. Requests and deployments are made over http and transmitted in the clear. Where
> the passwords are system passwords integrated to Active Directory or similar using LDAP, this
> is not an option even within a company's LAN. I like the idea of where Nexus and the Maven
> development stack in general is going (I listened to Jason's seminar recently and I'm keen
> on much of where you are going). But passwords in the clear over http is a showstopper and
> I'm surprised you haven't already borrowed this idea from the competition.
> Another irritating side effect of Maven's insistence on using cleartext passwords has
> been mentioned by a colleague of mine in MNG-4611. We currently use Artifactory for EXACTLY
> this reason (the password encryption) and Maven logs loudly about the fact that the passwords
> are encrypted.

This message was sent by Atlassian JIRA
